CVE-2024-29810

CVSS V2 None CVSS V3 None

Description

The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.

Overview

CVE ID
CVE-2024-29810

Assigner
AppCheck

Vulnerability Status
PUBLISHED

Published Version
2024-03-26T15:28:58.519Z

Last Modified Date
2024-03-26T15:28:58.519Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin/
https://wordpress.org/plugins/photo-gallery/#developers

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-29810
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29810

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 02:44:07				Added to TrackCVE